JAKKS PACIFIC INC - (JAKK)
10-K Filing Date: March 15, 2024
JAKKS has adopted a cybersecurity framework to help manage and mitigate cybersecurity risks.
JAKKS has implemented cybersecurity policies, processes and procedures to aid in the identification, protection, detection of cyber related issues, and the response to and recovery from cybersecurity breaches. A summary of the principal activities JAKKS has undertaken to strengthen its cybersecurity posture and mitigate its cybersecurity risks:
● | A subcommittee of the Board of Directors has been established to oversee and manage the company’s risk, response, and recovery policies, processes, and procedures related to, and stemming from, cyber-related issues; | |
● | Purchased cybersecurity risk insurance to protect against potential losses arising from a cybersecurity incident; | |
● | Implementation of quarterly vulnerability and penetration tests to identify, and if necessary, remediate, any potential risk to the organization; | |
● | Engaged two (2) third-party service providers to monitor JAKKS systems for anomalous activity (24 hours a day, 365 days a year); | |
● | Conduct disaster recovery exercise on a yearly basis; | |
● | Implemented a revised and updated phishing email training program; and | |
● | Retained a consultant to act as the Company’s Virtual Chief Information Security Officer (VCISO), who has more than 20 years of experience in various cybersecurity roles (e.g., managing information security, developing cybersecurity strategies, implementing cybersecurity and incident response programs, etc.) to oversee the implementation and performance of the Company’s cybersecurity program. |
As part of our cybersecurity program, the Company’s VCISO, Senior Vice President of Operations and Vice President of Information Technology, collectively referred to as our “Cybersecurity Team,” reviews our cybersecurity posture, identifies areas in need of improvement, and helps foster a culture of compliance (including training of all employees). Our Vice President of Information Technology has over 20 years of experience in various roles involving managing information security, developing cybersecurity strategy, and implementing cybersecurity program. The Company’s program also includes activities to respond to and recover from cybersecurity incidents, including processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
Our Cybersecurity Team assesses cybersecurity risks, including those related to our supply chain and third-party service providers that have access to our systems or facilities where JAKKS’ data is stored. The team assesses how cybersecurity risks affect or are reasonably likely to materially affect the Company, including our operations or financial position. Our Cybersecurity Team is responsible for the Company’s risk assessment, risk management, disaster recovery, and auditing of JAKKS overall cybersecurity program. The Cybersecurity Team meets with the Cybersecurity Subcommittee of the Board of Directors to discuss, identify, and address cybersecurity risks and review updates to our risk management program to ensure cybersecurity risks to the organization are mitigated. For further discussion of the risks associated with cybersecurity incidents, see the cybersecurity risk factors beginning on page 22 of the section entitled “Item 1A. Risk Factors” in this Form 10-K.
In December 2022, the Company learned of a cybersecurity threat to its information technology system (“IT System”), and that certain data, including personal data of employees, had been extracted from the Company’s IT System. Upon learning of the cybersecurity threat, the Company launched an investigation and undertook prompt action, including employing containment protocols to mitigate the impact of the threat, engaging third-party information technology cyber security and forensics experts and special legal counsel, and utilizing additional security measures to help safeguard the integrity of its IT System’s infrastructure and the data contained therein. The Company has not identified any material damage suffered from the incident.